Summary: | app-arch/unzip: null pointer dereference | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | CONFIRMED --- | ||
Severity: | major | CC: | base-system |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077 | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=831190 | ||
Whiteboard: | A2 [upstream] | ||
Package list: | Runtime testing required: | --- |
Description
John Helmert III
2022-08-24 18:57:31 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bff42a923fb9b8ce5af167cc3032420d4a666307 commit bff42a923fb9b8ce5af167cc3032420d4a666307 Author: Sam James <sam@gentoo.org> AuthorDate: 2022-08-25 02:18:16 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-08-25 02:19:14 +0000 app-arch/unzip: add 6.0_p27 Contains patches for CVE-2022-0529, CVE-2022-0530 (bug 831190) and for a unicode issue which *might* be CVE-2021-4217 (bug 866386). Bug: https://bugs.gentoo.org/866386 Bug: https://bugs.gentoo.org/831190 Signed-off-by: Sam James <sam@gentoo.org> app-arch/unzip/Manifest | 1 + app-arch/unzip/unzip-6.0_p27.ebuild | 93 +++++++++++++++++++++++++++++++++++++ 2 files changed, 94 insertions(+) I saw this in Debian's changelog: """ unzip (6.0-27) unstable; urgency=medium * Apply upstream patch for CVE-2022-0529 and CVE-2022-0530. - Fix null pointer dereference on invalid UTF-8 input. - Fix wide string conversion in process.c. Closes: #1010355. """ But I don't think it's related to this bug, I'd misread it (it's all to do with bug 831190). Nobody (Ubuntu, Debian, RH) have patched this, so no idea if htere's even a fix out there. |